b'Department of Homeland Security\n   Of\xef\xac\x81ce of Inspector General\n\n            Management Oversight and Component \n \n\n            Participation Are Necessary to Complete \n \n\n                DHS\' Human Resource Systems \n \n\n                       Consolidation Effort \n \n\n\n\n\n\nOIG-10-99                                             July 2010\n\x0c                                                             Office ofInspector General\n\n                                                             U.S. Department of Homeland Security\n                                                             Washington, DC 20528\n\n\n\n\n                                                             Homeland\n                                                             Security\n                                       JUL - 1 2010\n\n                                          Preface\n\nThe Department of Homeland Security (DHS) Office of Inspector General (OIG) was\nestablished by the Homeland Security Act of2002 (Public Law 107-296) by amendment\nto the Inspector General Act of 1978. This is one of a series of audit, inspection, and\nspecial reports prepared as part of our oversight responsibilities to promote economy,\nefficiency, and effectiveness within the department.\n\nThis report addresses the actions DHS has taken and progress made to consolidate\ncomponents\' human resource systems into enterprise-wide solutions to achieve greater\nefficiencies and cost savings. It is based on interviews with selected management\nofficials and contractor personnel, direct observations, system security vulnerability\nassessments, and a review of applicable documents.\n\nThe recommendations herein have been developed to the best knowledge available to our\noffice, and have been discussed in draft with those responsible for implementation. We\ntrust this report will result in more effective, efficient, and economical operations. 
We\nexpress our appreciation to all of those who contributed to the preparation of this report.\n\n                                             ~L,~\n                                             Richard L. Skinner\n                                             Inspector General\n\x0cTable of Contents/Abbreviations\nExecutive Summary .............................................................................................................1\n \n\n\nBackground ..........................................................................................................................2\n \n\n\nResults of Audit ...................................................................................................................3\n \n\n\n     Actions Taken to Implement Enterprise-Wide Human Resource Systems ..................3 \n \n\n\n     Management Oversight is Needed to Complete the Consolidation of DHS\xe2\x80\x99 Human \n\n     Resource Systems ..........................................................................................................4 \n\n     Recommendations........................................................................................................12 \n\n     Management Comments and OIG Analysis ................................................................12 \n\n\n     Enhancements Can Be Made to TalentLink\xe2\x80\x99s Technical Controls..............................14 \n \n\n     Recommendations........................................................................................................18 \n \n\n     Management Comments and OIG Analysis ................................................................18 \n \n\n\n     Certification and Accreditation Deficiencies Identified in Human Resource\n\n     Systems ........................................................................................................................21\n\n     
Recommendations........................................................................................................24 \n\n     Management Comments and OIG Analysis ................................................................24 \n\n\nAppendices\n     Appendix A:           Purpose, Scope, and Methodology.......................................................26 \n \n\n     Appendix B:           Management Comments to the Draft Report .......................................27 \n \n\n     Appendix C:           Major Contributors to this Report........................................................30 \n \n\n     Appendix D:           Report Distribution ..............................................................................31 \n \n\n\nAbbreviations\n     CBP                 Customs and Border Protection \n \n\n     CIS                 Citizenship and Immigration Services \n \n\n     DHS                 Department of Homeland Security \n \n\n     EIS                 External Information System\n \n\n     E-OPF               Electronic Official Personnel Folder \n \n\n     FEMA                Federal Emergency Management Agency \n \n\n     FLETC               Federal Law Enforcement Training Center \n \n\n     HCBS                Human Capital Business Systems \n \n\n     ICE                 Immigration and Customs Enforcement \n \n\n     NFC                 National Finance Center \n \n\n     NIST                National Institute of Standards and Technology\n \n\n     NPPD                National Protection and Programs Directorate \n \n\n     OCHCO               Office of the Chief Human Capital Officer \n \n\n\x0cOCIO    Office of Chief Information Officer\nOCISO   Office of Chief Information Security Officer\nOIG     Office of Inspector General\nOMB     Office of Management and Budget\nOPM     Office of Personnel Management\nPOA&M   Plan of Action and Milestones\nPPS     Pay and Personnel System\nTIC     Trusted Internet Connection\nTSA     
Transportation Security Administration\nSaaS    Software as a Service\nUSCG    United States Coast Guard\nUSDA    United States Department of Agriculture\nUSSS    United States Secret Service\nWebTA   Web Time and Attendance\n\x0cOIG\n \n\nDepartment of Homeland Security\nOffice of Inspector General\n\nExecutive Summary\n                       As required by the E-Government Act of 2002 and Office of\n                       Management and Budget\xe2\x80\x99s (OMB) government-wide initiatives,\n                       DHS Office of the Chief Human Capital Officer (OCHCO) began\n                       the process, in 2005, to consolidate components\xe2\x80\x99 existing human\n                       resource information systems into five enterprise-wide solutions.\n                       We audited OCHCO to determine the progress DHS has made in\n                       consolidating its component human resource information systems\n                       in its Human Capital Business Systems (HCBS) unit.\n\n                       DHS has made some progress in consolidating its human resource\n                       systems. Specifically, HCBS has successfully migrated\n                       components to the Office of Personnel Management\xe2\x80\x99s (OPM)\n                       Electronic Official Personnel Folder (e-OPF) system and the\n                       United States Department of Agriculture\xe2\x80\x99s (USDA) National\n                       Finance Center (NFC) Pay and Personnel System (PPS). 
Further,\n                       HCBS has taken steps to coordinate with components to identify\n                       business requirements and system specifications for the\n                       enterprise-wide systems, including EmpowHR, TalentLink and\n                       Web Time and Attendance (WebTA).\n\n                       However, as of February 2010, components have not migrated\n                       from their existing systems to all of the enterprise-wide systems.\n                       In addition, HCBS has not implemented adequate performance\n                       metrics to track the status of the consolidation effort. Further,\n                       enhanced communication and system functionality must be\n                       improved to help facilitate the migration of components to the\n                       department\xe2\x80\x99s enterprise-wide systems. In addition, systems have\n                       been certified and accredited without all documents and security\n                       weaknesses being mitigated timely. Finally, WebTA has not been\n                       certified and accredited according to applicable DHS policy.\n\n                       We are making 11 recommendations to the Chief Human Capital\n                       Officer. OCHCO concurred with all of our recommendations and\n                       has already begun to take actions to implement them. 
The\n                       department\xe2\x80\x99s response is summarized and evaluated in the body of\n                       this report and included, in its entirety, as Appendix B.\n\n\n Management Oversight and Component Participation Are Necessary to Complete DHS\xe2\x80\x99 Human Resource \n \n\n                                 Systems Consolidation Effort\n \n\n\n                                             Page 1 \n\n\x0cBackground\n                          In 2005, as part of the E-Government Act, OMB implemented a\n                          government-wide initiative to eliminate redundancy and increase\n                          efficiency in payroll and human resource systems. In response,\n                          HCBS led an effort to consolidate components\xe2\x80\x99 existing human\n                          resource information systems into enterprise-wide solutions aimed\n                          at improving security, efficiency, and consistency across the\n                          department.\n\n                          HCBS is responsible for consolidating more than 144 existing\n                          component human resource systems into flexible enterprise-wide\n                          solutions. While working with components, HCBS is responsible\n                          for program management activities, communication and\n                          coordination, and integration of information technology tasks for\n                          this effort. As part of this initiative, HCBS is in the process of\n                          consolidating component human resource systems into five\n                          enterprise-wide solutions, including: (1) WebTA, (2) NFC PPS, (3)\n                          EmpowHR, (4) TalentLink, and (5) e-OPF system. 
These systems,\n                          which are also used by other federal agencies, support the\n                          department with core human resource functions, such as records\n                          management, time and attendance, personnel actions, recruitment,\n                          and payroll. Figure 1 provides a brief description of each system.\n\n                          Figure 1-Enterprise-wide Human Resource Solutions\n\n               Name         Function     Owner                           Description\n                            Personnel               System interfaces with the NFC\xe2\x80\x99s Pay and Personnel\n                             Actions/               System. System functions include creation of new job\n             EmpowHR                     USDA\n                            Personnel               codes (master records) and positions, reassignments,\n                             Records                promotions, and awards.\n                                                    System developed as a management solution to handle\n                            Personnel\n               e-OPF                     OPM        official personnel files and simplify employee access to\n                             Records\n                                                    official personnel folders.\n                                                    System used by customer agencies for personnel action\n                             Pay and                processing, position management, benefits processing,\n              NFC PPS                    USDA\n                            Personnel               payroll, payroll accounting, tax reporting, employee debt\n                                                    management, and reporting.\n                                                    System which allows DHS managers and recruiters to\n             TalentLink     Recruiting   DHS\n                             
                       facilitate the hiring process.\n                             Time and               Commercial off-the-shelf system used for time and\n              WebTA                      DHS\n                            Attendance              attendance functions.\n\n\n\n\n Management Oversight and Component Participation Are Necessary to Complete DHS\xe2\x80\x99 Human Resource \n \n\n                                 Systems Consolidation Effort\n \n\n\n                                               Page 2\n \n\n\x0c                       Our audit focused on three systems: TalentLink, WebTA, and\n                       e-OPF. TalentLink, which is a web-based application, is used by\n                       managers, recruiters, and human resource specialists to post job\n                       vacancies, select, follow-up and hire potential job applicants. The\n                       system is contractor owned and operated and most of the\n                       equipment is currently housed at a commercial hosting facility in\n                       New York City, New York. According to HCBS personnel, DHS\n                       will discontinue the use of TalentLink and switch to a different\n                       application in June 2010. WebTA is a web-based, commercial\n                       off-the-shelf time and attendance labor solution. The system\xe2\x80\x99s\n                       functions include electronic approvals, project tracking and\n                       activity-base time reporting, on-line leave requests, part-time\n                       accrual calculations, year-end leave accruals, rollover and leave\n                       transfers. DHS purchased licenses in 2005 and the system is\n                       currently hosted by the USDA NFC in Denver, Colorado. The\n                       e-OPF system is part of OPM\xe2\x80\x99s Enterprise Human Resources\n                       Integration initiative. 
This system provides government employees\n                       with direct online access to their official human resource and\n                       personnel records.\n\n                       Due to the sensitive nature of the information stored and processed\n                       by these human resource systems, DHS must implement effective\n                       controls to protect personal data from potential misuse. According\n                       to the United States Government Accountability Office, federal\n                       agencies have reported numerous incidents where personally\n                       identifiable information was stolen, lost, or improperly disclosed,\n                       resulting in loss of privacy and identify theft. To safeguard against\n                       stolen or unauthorized disclosure of personal data, OMB requires\n                       federal agencies to ensure that proper safeguards are in place to\n                       protect personally identifiable information.\n\nResults of Audit\n      Actions Taken to Implement Enterprise-Wide Human Resource\n      Systems\n                       DHS has taken actions to consolidate and migrate components\xe2\x80\x99\n                       human resource systems to the department\xe2\x80\x99s enterprise-wide\n                       solutions. 
For example, HCBS has:\n\n                       \xef\xbf\xbd\t Migrated DHS components to NFC PPS in 2005 and e-OPF in\n                          2008.\n\n\n\n Management Oversight and Component Participation Are Necessary to Complete DHS\xe2\x80\x99 Human Resource \n \n\n                                 Systems Consolidation Effort\n \n\n\n                                             Page 3 \n\n\x0c                      \xef\xbf\xbd\t Implemented user and test working groups for DHS\n                         components to help identify business requirements and system\n                         specifications.\n\n                      \xef\xbf\xbd\t Certified and accredited TalentLink. Our review of the\n                         certification and accreditation package revealed no significant\n                         deficiencies.\n\n                      \xef\xbf\xbd\t Established memoranda of understanding and interconnection\n                         security agreements with NFC and OPM to define roles and\n                         responsibilities for the management, operation, and security of\n                         system connections.\n\n                      \xef\xbf\xbd\t Implemented effective controls to protect the sensitive data\n                         stored and processed by TalentLink. Our security testing\n                         revealed only a few areas in need of improvement.\n\n                      Despite these actions, DHS faces additional challenges with\n                      implementing all of the enterprise-wide human resource solutions\n                      at its components. 
For example, many DHS components are\n                      reluctant to adopt the department\xe2\x80\x99s enterprise-wide solutions.\n                      More work remains to ensure that components\xe2\x80\x99 existing human\n                      resource systems are consolidated into the department\xe2\x80\x99s\n                      enterprise-wide solutions.\n\n     Management Oversight Is Needed to Complete the Consolidation\n     of DHS\xe2\x80\x99 Human Resource Systems\n                      DHS has made some progress, but has not completed its human\n                      resource system consolidation effort. Senior DHS officials need to\n                      provide better guidance and oversight to migrate components to\n                      the department\xe2\x80\x99s enterprise-wide human resource solutions.\n                      Component officials stated that system functionality issues and\n                      insufficient communication with HCBS contributed to their\n                      reluctance to migrate. Further, DHS has not restricted its external\n                      internet connections or maintained an accurate inventory of its\n                      human resource systems, preventing the department from\n                      achieving its efficiency objectives. 
Unless these issues are\n                      addressed, DHS may not be able to achieve its goal of\n                      consolidating and modernizing its human resource systems.\n\n\n\n\nManagement Oversight and Component Participation Are Necessary to Complete DHS\xe2\x80\x99 Human Resource \n \n\n                                Systems Consolidation Effort\n \n\n\n                                            Page 4 \n\n\x0c                            Components Are Reluctant to Implement Enterprise-Wide\n                            Systems\n\n                            As of February 2010, nine DHS components have not completed\n                            their migration to WebTA, EmpowHR, or TalentLink.1\n                            Component officials indicated that some of the enterprise-wide\n                            solutions do not satisfy their business requirements and the lack of\n                            detailed cost savings information from HCBS has prevented them\n                            from migrating. 
Consequently, components continue to use their\n                            existing systems in lieu of the DHS enterprise-wide solutions.\n                            Figure 2 summarizes the implementation status for the three\n                            systems.\n\n                            Figure 2-System Consolidation Progress\n\n                                                    TalentLink        EmpowHR              WebTA\n                              Components\n\n                                 CBP              Not Started        Not Started        Not Started\n                                  CIS             Not Started        Not Started        In progress\n                                FEMA              In progress        Not Started         Complete\n                                FLETC             In progress        Complete            Complete\n                                  ICE             In progress        Not Started         Complete\n                                NPPD              In progress        Complete            Complete\n                                 TSA              Not Started        Complete            Complete\n                                USCG              Not Started        Complete            Complete\n                                 USSS             Not Started        Not Started         Complete\n\n                                    Additional Oversight Is Needed\n\n                                    Prior to January 2010, senior DHS officials had not issued\n                                    any guidance to components on its human resource\n                                    consolidation effort. Without the guidance, HCBS could\n                                    not compel all components to migrate towards the\n                                    enterprise-wide solutions. 
As a result, the progress to date\n\n\n1\n    The nine components are Customs and Border Protection (CBP), Citizenship and Immigration Services\n    (CIS), Federal Emergency Management Agency (FEMA), Federal Law Enforcement Training Center\n    (FLETC), Immigration and Customs Enforcement (ICE), National Protection and Programs Directorate\n    (NPPD), Transportation Security Administration (TSA), United States Coast Guard (USCG), and United\n    States Secret Service (USSS)\n\n\n\n     Management Oversight and Component Participation Are Necessary to Complete DHS\xe2\x80\x99 Human Resource \n\n                                     Systems Consolidation Effort\n\n\n                                                  Page 5\n\x0c                                   has been limited as some components are reluctant to\n                                   migrate to DHS\xe2\x80\x99 enterprise-wide human resource systems.\n\n                                   On January 15, 2010, the Deputy Secretary issued a\n                                   memorandum tasking OCHCO and Office of Chief\n                                   Information Officer (OCIO) to assemble and integrate a\n                                   project team to rationalize legacy human resource\n                                   processes and systems into a department-wide\n                                   architecture.2 As outlined in the memorandum,\n                                   components are prohibited from spending additional\n                                   funding to purchase new or enhance existing human\n                                   resource systems without the approval from either OCHCO\n                                   or OCIO. 
The issuance of this memo will help HCBS to\n                                   complete its human resource consolidation effort by\n                                   providing additional oversight authority over components.\n                                   For example, as mandated under the E-Government Act of\n                                   2002 and OPM\xe2\x80\x99s initiatives, HCBS has successfully\n                                   facilitated the migration of NFC PPS and e-OPF throughout\n                                   DHS.\n\n                                   The lack of oversight authority over the components has\n                                   also hindered HCBS\xe2\x80\x99 ability to implement the human\n                                   resource consolidation initiative. For example, HCBS does\n                                   not have the authority to review components\xe2\x80\x99 budgets to\n                                   ensure that adequate resources are available for the\n                                   initiative. According to HCBS personnel, some\n                                   components have not fully engaged in the planning and\n                                   implementation activities required to complete the\n                                   initiative. For example, during the formative stages,\n                                   components are willing to participate and engage in system\n                                   planning and requirements analysis activities. 
However,\n                                   once HCBS begins the implementation and acquisition\n                                   activities, components often withdraw from the initiative\n                                   stating that: (1) they are not ready to begin the migration\n                                   effort, (2) they do not have sufficient resources to support\n                                   the migration, or (3) the enterprise-wide solutions do not\n                                   meet their mission or business requirements. In addition,\n                                   HCBS personnel have stated that leadership changes at\n                                   OCHCO and components that lead to different\n                                   management priorities have slowed the migration efforts.\n\n\n2\n    DHS Enterprise Human Resources Processes, People, and Technology Memorandum, dated\n    January 15, 2010.\n\n\n\n     Management Oversight and Component Participation Are Necessary to Complete DHS\xe2\x80\x99 Human Resource \n \n\n                                     Systems Consolidation Effort\n \n\n\n                                                 Page 6 \n\n\x0c                              As part of DHS\xe2\x80\x99 policy for exchanging and sharing internal\n                              information, components are required to standardize the\n                              information technology assets used to access, store,\n                              process, and manage its information. 
To achieve this goal,\n                              including standardization of its human resources assets,\n                              DHS must provide OCHCO with adequate oversight\n                              authority; otherwise it will be restricted from consolidating\n                              information systems and infrastructure used to support the\n                              department\xe2\x80\x99s human resource operations.\n\n                              Performance Metrics\n\n                              HCBS has not developed adequate performance metrics to\n                              track the overall progress of the consolidation effort.\n                              Performance metrics are used to evaluate the progress of a\n                              program or project and ensure that key milestones and\n                              goals are being achieved.\n\n                              While HCBS has developed performance measures to\n                              evaluate the technical performance of the department\xe2\x80\x99s\n                              enterprise-wide systems, it does not have metrics to track\n                              the overall progress of the initiative. For example, HCBS\n                              keeps current metrics on security incidents, service desk\n                              tickets, and system release data. 
In addition, HCBS tracks\n                              the number of users and components that have migrated to\n                              the enterprise-wide solutions on a quarterly basis.\n                              However, HCBS has not developed performance metrics to\n                              track the status of component requirements, interim tasks,\n                              or activities that must be completed to ensure that\n                              components successfully migrate to the enterprise-wide\n                              systems.\n\n                              Specific performance metrics can help HCBS track the\n                              overall progress of the implementation effort rather than the\n                              technical performance of individual systems. Examples of\n                              additional performance metrics may include:\n\n                              \xef\xbf\xbd\t Key requirements, milestones and accomplishments\n                                 that have or have not been completed.\n\n                              \xef\xbf\xbd\t Required deliverables or services that have or have not\n                                 been completed.\n\n\n\n\nManagement Oversight and Component Participation Are Necessary to Complete DHS\xe2\x80\x99 Human Resource \n \n\n                                Systems Consolidation Effort\n \n\n\n                                            Page 7 \n\n\x0c                                        \xef\xbf\xbd   Remaining tasks that must be completed.\n\n                                        Performance metrics aimed at assessing the completion of\n                                        component implementation requirements or activities will\n                                        help HCBS personnel monitor the overall progress of the\n                                        consolidation effort. 
In addition, such metrics will allow\n                                        HCBS to determine the areas where additional focus is\n                                        required.\n\n                                        OMB requires agencies to implement performance metrics\n                                        for planning, budgeting, and managing federal capital\n                                        assets. These performance metrics should be used to\n                                        monitor and compare expected results with actual\n                                        performance of the project.\n\n                                        Without specific performance metrics, it will be difficult\n                                        for program officials to determine the overall progress of\n                                        the project and whether expected results or outcomes have\n                                        been achieved. In addition, detailed performance metrics\n                                        will provide DHS with the ability to better monitor the\n                                        components\xe2\x80\x99 implementation progress and identify areas\n                                        where improvements should be made.\n\n                                        System Functionality and Communication Can Be\n                                        Improved\n\n                                        Components have cited functionality issues with the\n                                        enterprise-wide systems and insufficient communication\n                                        with HCBS as reasons for not migrating to all of the\n                                        enterprise-wide solutions. 
For example, some components\n                                        have identified functionality deficiencies with the\n                                        enterprise-wide human resource systems, including issues\n                                        with vacancy announcements and the certification process.3\n                                        In addition, component officials stated that communication\n                                        with HCBS regarding the consolidation effort could be\n                                        improved. Specifically, HCBS should identify detailed\n                                        cost savings to illustrate to components\xe2\x80\x99 the potential\n                                        benefits of migrating to the department\xe2\x80\x99s enterprise-wide\n                                        solutions.\n\n\n\n3\n    The certification process is used by hiring managers to identify a list of the best qualified applicants that\n     may be considered for a vacancy announcement.\n\n\n\n     Management Oversight and Component Participation Are Necessary to Complete DHS\xe2\x80\x99 Human Resource \n \n\n                                     Systems Consolidation Effort\n \n\n\n                                                       Page 8 \n\n\x0c                                  We met with selected personnel from component human\n                                  resource offices and OCIO to identify possible concerns\n                                  regarding the consolidation effort. 
Some components have indicated that the department’s enterprise-wide solutions do not satisfy their business requirements and that they have encountered functionality issues with some of the systems. Specifically, FEMA and NPPD have encountered issues with TalentLink and requested to replace the system with another system. FEMA indicated that TalentLink does not consistently post vacancy announcements to USAJobs and contains too many steps in the certification process.4 This cumbersome process has lengthened the amount of time for human resource staff to develop certificates containing the best qualified candidate lists. Similarly, NPPD stated that hiring managers experienced difficulty in reviewing the certificates of eligible applicants and often found that other critical documents such as resumes were inadvertently being removed from job applications. In addition, NPPD indicated that it takes nearly three times as long to post a vacancy position using TalentLink as in NPPD’s current system, USA Staffing.
According to HCBS personnel, OCHCO is planning to discontinue the use of TalentLink in June 2010, as the department is participating in an OPM initiative to develop a new recruiting system that better suits federal agencies’ needs.

Components also expressed concerns with EmpowHR and stated that they will not implement the system until it is equal to or better in terms of functionality and cost than their current systems. For example, USSS does not plan to adopt EmpowHR until HCBS provides sufficient information to convey the benefits of retiring HRConnect.5 TSA has also encountered functionality issues when using EmpowHR. For example, when information is edited with a front-end system other than EmpowHR, the data changes will be updated in NFC’s mainframe computer but not in EmpowHR’s database tables. Consequently, the data stored in the NFC mainframe and EmpowHR’s database tables become inconsistent. As a result, dual entries must

4 USAJobs is an OPM system used to post job openings for the federal government.
It interfaces with TalentLink.
5 HRConnect provides USSS with quick hire staffing solutions and handles personnel transactions.

be performed to correct the discrepancies, which results in additional costs and time to TSA.

HCBS personnel said that they have been working with NFC to remediate the deficiencies identified by the components. According to HCBS personnel, they have stopped deploying EmpowHR at components until the deficiencies identified are resolved.

Finally, four components (CBP, NPPD, TSA, and USSS) said that HCBS has not communicated effectively or accurately about the potential cost savings of migrating to the enterprise-wide solutions. As a result, components are reluctant to replace their current systems with the department’s enterprise-wide solutions until HCBS identifies projected cost savings.

As part of the E-Government Act, agencies are required to make use of information technologies, including the reduction of duplicate and fragmented systems.
To meet this requirement and complete the human resource consolidation effort, HCBS must continue to work with components to address the deficiencies in system functionality. In addition, HCBS must convey the detailed cost savings to components and provide them with systems that adequately meet their needs. Unless these tasks are achieved, DHS cannot complete the consolidation effort.

Human Resource System Inventory

HCBS has not identified all human resource systems at the components. Without an accurate inventory of human resource systems, HCBS cannot determine whether components are using redundant systems.

While HCBS maintains a list of the department’s human resource systems, it is outdated and inaccurate. According to HCBS personnel, the inventory list has not been updated since 2007. In addition, HCBS officials stated that components are not obligated to respond to HCBS’ information requests to update its inventory list of human resource systems. As a result, components provided either limited information or did not respond at all.
As of December 2009, HCBS’ inventory list identifies 58 unique human resource systems.

In October 2009, we requested components to identify their human resource systems and to evaluate the accuracy of systems maintained by HCBS. In response, components identified a total of 48 human resource systems. We attempted to verify the information obtained with the system inventory maintained by DHS OCIO. However, the DHS OCIO inventory does not have an identifier to distinguish those systems that process human resource functions, such as records management, time and attendance, personnel actions, recruitment, and payroll functions. Without the identifier, we could not evaluate the accuracy of information obtained. The discrepancy between HCBS’ inventory and the responses to our data call is an indicator that DHS cannot account for all of its human resource systems.

Components Maintain Network Connections Outside of DHS Trusted Internet Connections

As of March 2010, 5 components maintained 11 external network connections to NFC that are outside of the DHS trusted internet connections (TIC).
These connections provide users with access to personnel systems owned and housed at NFC, including WebTA, EmpowHR, and NFC PPS. Figure 3 provides an overview of the external connections that are maintained by components.

Figure 3 - External Connections to NFC

Component     Number of External Network Connections
FEMA          3
TSA           6
CBP/FLETC     1 (shared)
USCG          1
Total         11

We attempted to verify the number of connections with NFC and components. However, we were unable to reconcile the differences between the information provided by NFC and the components. According to an HCBS official, DHS does not have adequate visibility over its components’ external network connections.
However, HCBS is working with OCIO to consolidate existing component connections.

In November 2007, OMB required agencies to consolidate internet points of presence and reduce external network connections to improve efficiency and security.6 DHS OCIO aligns OMB’s TIC initiative with its OneNet consolidation project.7 Allowing components to maintain their own network connections to NFC contradicts OMB’s TIC and DHS OneNet initiatives to improve efficiency and security by reducing the internet points of presence. These connections increase the number of internet points of presence and may pose a security risk to department data if security controls are inadequate.

Recommendations:

We recommend that the OCHCO direct HCBS to:

Recommendation #1: Develop specific performance metrics to help track the overall progress of the consolidation effort.

Recommendation #2: Improve communication and coordination with components to address system functionality issues and convey detailed cost savings for system migration.

Recommendation #3: Work with DHS OCIO and components to identify and track all human resource systems.

Recommendation #4: Coordinate with OCIO to ensure that components comply with OMB TIC and DHS OneNet initiatives to reduce internet points of presence for human resource
connectivity.

Management Comments and OIG Analysis

DHS concurred with recommendation 1. OCHCO indicated that, with the change in leadership and direction, it is currently revising the OMB Exhibit 300, operational plan, and program metrics.

6 OMB memorandum 08-05, Implementation of Trusted Internet Connections, dated November 20, 2007.
7 The purpose of OneNet is to consolidate and standardize a network architecture and improve cost effectiveness across the enterprise. OneNet will eventually integrate with component wide area networks to reduce the number of fragmented component networks and provide DHS with a secure, in-house global communications solution with centralized management and configuration capabilities.

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. This recommendation will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS concurred with recommendation 2. In its response, OCHCO indicated that project teams are working with component functional experts to define and develop requirements. Furthermore, HCBS is currently reworking the intake and change control process to better accommodate changes and requests in real time.
Improved metrics capability will also enhance OCHCO’s ability to consistently deliver cost data during different stages of the project. Finally, a strategic Human Resources Information Technology Council is also being established to improve communication and component feedback.

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. This recommendation will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS concurred with recommendation 3. OCHCO responded that it will work with OCIO to create a unique identifier within the department’s system inventory tool to identify human resources systems.

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. This recommendation will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS concurred with recommendation 4. In its response, OCHCO indicated that OCHCO and OCIO are working with components to determine the business requirements and bandwidth usage, and to identify and implement the appropriate type and set of DHS OneNet connections that are required to process NFC payroll and personnel transactions.

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation.
This recommendation will remain open until DHS provides documentation to support that all planned corrective actions are completed.

Enhancements Can Be Made to TalentLink’s Technical Controls

Overall, the controls implemented on TalentLink were effective to protect the sensitive data stored and processed by the system. Our evaluation included testing for vulnerabilities on the database and selected servers and network devices for compliance with DHS guidance. In addition, we manually reviewed system configurations and interviewed system administrators on system management processes. Our security testing and analysis revealed that improvements can be made to administrator account management, system management procedures, and configuration settings. DHS needs to address these issues to reduce the security risks to its human resource systems.

Administrator Accounts Are Inadequately Managed

DHS has not implemented effective controls on administrator accounts to ensure that they are granted with the least privileges to perform their job functions. In the event of a security incident, the scope of potential damage to the system increases as users are granted excessive access privileges.
A security incident targeting an administrator account might include an authorized user abusing his or her access or exploitation from an outsider gaining unauthorized control of an account. For example:

• Administrators’ connections to servers are not timed out after more than 30 minutes of inactivity. In most cases, these accounts are not locked out until after 60 minutes or 24 hours of inactivity. According to system administrators, this extended log-in time is needed to keep administrative tasks active for extended periods of time, such as file transfers to the logging server. An HCBS official indicated that the system is intentionally misconfigured for the convenience of administrative tasks. OMB requires that remote users accessing personally identifiable information be re-authenticated after 30 minutes of inactivity. DHS requires that user sessions be terminated after 60 minutes of inactivity to protect sensitive data.

• The Oracle remote login password file is in use, which allows remote administrators to automatically authenticate to the database without entering username and password.
According to an HCBS official, it is an oversight that the remote login password file is still in use. DHS requires that the Oracle remote login password file be disabled to enforce server-based authentication of users connecting to the database.

• Six accounts have been granted the elevated CREATE ANY LIBRARY privilege in the Oracle database, while there are only two database administrators for TalentLink. The CREATE ANY LIBRARY privilege allows an Oracle user to define a library, or code and data. An attacker could use it to access the operating system. HCBS officials could not provide an explanation why the other four accounts were granted the elevated privilege. Database administrators are granted privileges to create new databases and alter and delete data. DHS requires that access permissions including CREATE ANY LIBRARY be restricted to database administrators. Further, DHS requires that users’ access be restricted to the least privilege to perform job duties.

Elevated access to system resources and data should be limited and managed appropriately.
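The three administrator-account findings above (idle timeouts beyond the DHS 60-minute limit, the Oracle remote login password file left enabled, and CREATE ANY LIBRARY granted to accounts that are not database administrators), together with the disabled audit trail noted later under Database and Server Configuration, are all visible in Oracle's data dictionary. The following Python check is an added example and is not part of the OIG report or of TalentLink; it evaluates the kind of values an auditor would read from V$PARAMETER, DBA_SYS_PRIVS, DBA_PROFILES and DBA_USERS against the requirements the report states, and pairs each finding with the corrective SQL. The snapshot is constructed to mirror the report's numbers (six grantees, two DBAs, a 24-hour idle limit), the account names are invented, and the set of recognised DBAs is an assumption the system owner would have to supply; the idle-timeout rule is applied to database profiles as a stand-in for the server-session timeouts the report describes.

```python
# Added example (not from the OIG report): compliance check over values of the
# kind Oracle exposes in V$PARAMETER, DBA_SYS_PRIVS, DBA_PROFILES and DBA_USERS.
# The snapshot below is constructed to mirror the report's findings; the account
# names and the set of recognised DBAs are assumptions, not real system data.
from dataclasses import dataclass

DHS_SESSION_IDLE_MINUTES = 60                 # DHS: terminate sessions after 60 min idle
DBA_ONLY_PRIVILEGES = {"CREATE ANY LIBRARY"}  # DHS: restrict to database administrators


@dataclass
class OracleSnapshot:
    parameters: dict       # name -> value, as read from V$PARAMETER
    sys_privs: list        # (grantee, privilege) rows, as from DBA_SYS_PRIVS
    idle_time_limit: dict  # profile -> IDLE_TIME limit (minutes or "UNLIMITED"), DBA_PROFILES
    user_profile: dict     # username -> profile, as from DBA_USERS
    dbas: set              # accounts the system owner recognises as DBAs (assumption)


def check_snapshot(snap: OracleSnapshot) -> list:
    """Return (finding, corrective SQL) pairs; an empty list means compliant."""
    findings = []

    # Remote login password file: DHS requires it disabled (NONE) so that remote
    # administrators authenticate through the server rather than a file.
    rlp = snap.parameters.get("remote_login_passwordfile", "").upper()
    if rlp != "NONE":
        findings.append((f"remote_login_passwordfile is {rlp or 'unset'}, must be NONE",
                         "ALTER SYSTEM SET remote_login_passwordfile=NONE SCOPE=SPFILE;"))

    # Audit trail: DHS requires detailed user activity records in the database.
    audit = snap.parameters.get("audit_trail", "NONE").upper()
    if audit == "NONE":
        findings.append(("audit_trail is NONE, user activity is not recorded",
                         "ALTER SYSTEM SET audit_trail=DB,EXTENDED SCOPE=SPFILE;"))

    # Least privilege: CREATE ANY LIBRARY lets a user define code libraries that
    # reach the operating system, so any non-DBA grantee is a finding.
    for grantee, priv in snap.sys_privs:
        if priv in DBA_ONLY_PRIVILEGES and grantee not in snap.dbas:
            findings.append((f"{grantee} holds {priv} but is not a database administrator",
                             f"REVOKE {priv} FROM {grantee};"))

    # Idle timeout: every account's profile must end sessions within 60 minutes.
    for user, profile in sorted(snap.user_profile.items()):
        limit = snap.idle_time_limit.get(profile, "UNLIMITED")
        minutes = None if str(limit).upper() == "UNLIMITED" else int(limit)
        if minutes is None or minutes > DHS_SESSION_IDLE_MINUTES:
            shown = "UNLIMITED" if minutes is None else f"{minutes} min"
            findings.append((f"{user} (profile {profile}) idle limit {shown} exceeds "
                             f"{DHS_SESSION_IDLE_MINUTES} min",
                             f"ALTER PROFILE {profile} LIMIT IDLE_TIME {DHS_SESSION_IDLE_MINUTES};"))
    return findings


# Constructed snapshot mirroring the report: password file in use, no audit
# trail, six CREATE ANY LIBRARY grantees of which only two are DBAs, and an
# administrator profile that idles out after 24 hours (1440 minutes).
REPORT_LIKE_SNAPSHOT = OracleSnapshot(
    parameters={"remote_login_passwordfile": "EXCLUSIVE", "audit_trail": "NONE"},
    sys_privs=[(u, "CREATE ANY LIBRARY")
               for u in ("DBA1", "DBA2", "APP_A", "APP_B", "APP_C", "APP_D")],
    idle_time_limit={"ADMIN_PROFILE": "1440", "DEFAULT": "60"},
    user_profile={"DBA1": "ADMIN_PROFILE", "DBA2": "ADMIN_PROFILE", "APP_A": "DEFAULT",
                  "APP_B": "DEFAULT", "APP_C": "DEFAULT", "APP_D": "DEFAULT"},
    dbas={"DBA1", "DBA2"},
)

if __name__ == "__main__":
    for finding, fix in check_snapshot(REPORT_LIKE_SNAPSHOT):
        print(f"- {finding}\n    fix: {fix}")
```

Run against the constructed snapshot, the check reports eight findings: the password file, the audit trail, four non-DBA CREATE ANY LIBRARY grantees, and the two administrator accounts on the 24-hour profile. Two caveats when applying the corrective statements to a real database: the audit_trail and remote_login_passwordfile parameters only take effect after an instance restart, and profile resource limits such as IDLE_TIME are only enforced when the RESOURCE_LIMIT initialization parameter is TRUE.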
Without effective measures to restrict access to servers and sensitive data, DHS may be at risk of an individual engaging in fraudulent or malicious behavior resulting in unauthorized alteration, loss, unavailability, or disclosure of information.

Patch and Privileged Account Management Processes

The procedures for patch management and privileged account management processes have not been developed for TalentLink. DHS requires that a policy be developed to define the roles and responsibilities of the patch management process and deployment status. DHS also requires that user access be documented in access control policies and procedures. Both tasks are controlled by HCBS personnel who considered formal, step-by-step directions unnecessary.

Documenting processes will help personnel identify, understand, and consistently implement requirements, minimizing the risk of human error. In the event of staffing or contract changes, patching and privileged account management processes may be neglected due to lack of documented procedures.
Unmanaged privileged accounts and missing patches leave the system at risk of user abuse and external cyber attack.

Process for Destruction of Personally Identifiable Information Extracts

HCBS has not implemented a process for destroying computer-readable personally identifiable information extractions. Specifically, TalentLink allows users to extract personal information in the form of reports on various hiring statistics and information. OMB requires that agencies ensure computer-readable data extracts that contain personally identifiable information be erased within 90 days or when no longer needed. However, HCBS staff considers that it would be infeasible to ensure that all personal information extractions are erased as users are spread throughout DHS and cannot operate without reports.

Enforcing the destruction of personally identifiable information extractions helps reduce the amount of sensitive data that is physically removed from department locations or that is accessed remotely. Destroying extracts also prevents misuse of sensitive data.

Database and Server Configuration

The TalentLink Oracle database and servers are not configured according to DHS policy.
We identified deficiencies in configuration settings that may lead to unauthorized misuse of sensitive data. Specifically:

• Audit trails are not enabled on the Oracle database to track user account activity. DHS requires that audit trails be enabled to capture detailed user activity records in the database. User access, use of system privileges, and changes to the database should be logged to help investigate and reconstruct future security incidents.

• A contractor’s warning banner is used instead of the required DHS banner during server logins. DHS requires that a specific login warning banner be displayed when connecting to a system to remind users of their responsibilities in using government-owned equipment.

• A high-risk vulnerability that has been known since 2004 was found on an application server. The JBoss software running on the application server is configured in a way that allows unauthenticated access to certain administrative functions of the software.8 A remote attacker could exploit the vulnerability to disclose sensitive information or take control of JBoss.
DHS requires that software patches be applied in a timely manner to protect the system from known exploits.

Audit trails are essential to the investigation and reconstruction of security incidents. In particular, access to personal data in the Oracle database should be closely tracked, with all actions tied to individual users. The lack of audit trails combined with excessive privileges granted to database users puts the system at significant risk of data misuse. Violations could go unnoticed or may not be traceable to individual users once discovered.

Memoranda of Agreement With Other Agencies

While HCBS has established memoranda of agreement with NFC and OPM, the agreements do not contain terms that will allow DHS and OIG unrestricted access to system-specific resources, such as vulnerability scan results, appropriate technical staff, and information related to system connections between NFC and DHS. Unrestricted access to the information is essential to verify that effective controls have been implemented on DHS’ human resource systems that are owned and operated by other agencies.

As part of our original audit scope, we planned to perform security testing to evaluate the effectiveness of controls implemented on all enterprise-wide systems.
However, USDA and OPM personnel were reluctant to provide us with access to the information for the systems selected for review, i.e., NFC testing results and connections between NFC and components. The limitations restricted our ability to perform planned security testing. For example, NFC indicated that the agency does not plan to allow other federal agencies to perform security testing on systems that it maintains.

Without such access, HCBS cannot ensure that security tests are being performed periodically and that effective controls have been implemented on its human resource systems. Unless HCBS revises its existing memoranda of agreement to include the provisions for unrestricted access to system-specific information,

8 JBoss is a software framework for an application server that supports Java application development.

DHS cannot guarantee that all applicable security requirements have been met for its human resource systems which are owned and operated by other agencies.

Recommendations:

We recommend that the OCHCO direct HCBS to:

Recommendation #5: Develop policies for patch management, privileged account management, and the destruction of personal data extracts for TalentLink.
Recommendation #6: Restrict TalentLink administrator access permissions by granting the least privileges needed to perform job functions in accordance with applicable OMB and DHS policy.

Recommendation #7: Configure TalentLink’s database and servers according to DHS policy.

Recommendation #8: Revise existing memoranda of understanding with other agencies to ensure that system-specific information is available to HCBS and the OIG.

Management Comments and OIG Analysis

DHS concurred with recommendation 5. OCHCO commented that, due to the Software as a Service (SaaS) provision of TalentLink, the patch management and privileged account management processes are owned by the application provider. HCBS reviewed these processes and validated they were consistent with DHS requirements. However, to be consistent with DHS policy, OCHCO concurred that HCBS should have drafted TalentLink-specific patch management and privileged account management SOPs and utilized the application provider documents as the basis.
Since OCHCO will discontinue the use of TalentLink in June 2010, HCBS does not plan to create a Plan of Action and Milestones (POA&M) to develop policies for a system that will soon be retired.

Regarding personal data extracts, OCHCO responded that while the protection of computer-readable extracts containing personally identifiable information was incorporated in DHS guidance before TalentLink went live, the implementation directive was not published until July 31, 2009. Thus, HCBS was not able to complete a thorough analysis to determine what computer-readable extracts (routine or ad hoc) would be utilized by the system prior to the decision to decommission the system. All users of the system are required to complete annual Computer Security Awareness Training and Privacy Training, so users are trained in the proper handling of personally identifiable information.

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. This recommendation will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS concurred with recommendation 6.
Regarding the Administrator’s Connections and Oracle Remote Login Password File, OCHCO responded that due to the SaaS provision of this system, certain configurations are beyond the control of DHS. OCHCO was aware of this issue, but the application provider was not willing to change the settings as it would cause undue burden on the application’s operating capability. Because the TalentLink system is being decommissioned and will be shut down on June 26, 2010, HCBS does not plan to create a POA&M to correct the deficiency.

Regarding the elevated Oracle accounts, OCHCO responded that there are a total of eight accounts, comprised of two database administrators and six users, with the “CREATE ANY LIBRARY” privilege. The six user accounts must exist on each of the application provider databases so that the application can be operated correctly and, since the six users do not require full database administrator access, limiting these accounts to this privilege is actually more restrictive and in line with the concept of least privilege. The alternative would be to grant these six users full DBA access, but this would give them more privileges than required.

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation.
This recommendation will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS concurred with recommendation 7. Regarding the audit trails and warning banner findings, OCHCO responded that due to the SaaS provision of TalentLink, certain configurations are beyond the control of DHS. Although the Oracle Hardening guide is not strictly adhered to, there are other tracking capabilities built into the application to allow auditing. Additionally, although the proper warning banner is not provided when logging on locally to the server, the proper DHS warning and privacy banners are provided for all users and candidates accessing the system. According to OCHCO, HCBS was aware of these issues, but the application provider was not willing to change the settings because it would cause undue burden on the application’s operating capability. Since OCHCO will discontinue the use of TalentLink in June 2010, HCBS does not plan to create a POA&M to correct the deficiencies for a system that will soon be retired.

Regarding the JBoss vulnerability, OCHCO commented that the weakness was identified prior to the OIG scan.
Subsequently, a new system build was required for TalentLink. However, the new system build was not consistently deployed prior to the OIG scan. The vulnerability has since been remediated in all zones.

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. This recommendation will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS concurred with recommendation 8. OCHCO responded that while OCHCO agrees with the intent of the recommendation, DHS policy does not support the performance or security testing on another agency’s IT systems. Based on DHS policy, the connection is to be well documented, with emphasis on the responsibilities of the two organizations, including maintaining a valid authority to operate, incident reporting, training and awareness, etc. OCHCO will include specific language in future Memoranda of Agreement/Understanding to document mutual responsibility and roles for security systems.

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation.
This recommendation will remain open until DHS provides documentation to support that all planned corrective actions are completed.

Certification and Accreditation Deficiencies Identified in Human Resource Systems

HCBS has not ensured that all OMB and DHS security requirements are met on its enterprise-wide human resource systems. Specifically, e-OPF has been certified and accredited without all required security documents. In addition, while POA&Ms are being created to track and identify security weaknesses, the corrective actions for one-third of the POA&Ms are more than 90 days past due. Further, WebTA has not been certified and accredited in accordance with applicable DHS policy.

Certification and Accreditation Documentation Is Incomplete

Our review of the e-OPF certification and accreditation packages revealed that not all of the required security documents have been developed. For certification and accreditation purposes, OPM divided e-OPF into: (1) a front-end application, (2) the Chantilly Scanning Facility, and (3) the Ashburn Data Center systems.
We reviewed the accreditation packages for the e-OPF front-end application and the Chantilly Scanning Facility for compliance with applicable OMB and National Institute of Standards and Technology (NIST) guidance. Configuration management plans were not developed for either system. Configuration management plans provide guidance to ensure that any subsequent change to a system is approved and that all recommended and approved security patches are properly installed.

Agencies are required to certify and accredit their systems in accordance with OMB and NIST guidance, including all security artifacts. Certification and accreditation requirements must also be satisfied for systems owned and operated by outside agencies or contractors.

According to HCBS officials, they have tried to maintain appropriate adherence to certification and accreditation standards for systems that are owned and operated by contractors, including e-OPF, WebTA, and TalentLink. However, they have had difficulty in performing continuous monitoring functions, detailed reviews, and yearly site visits on contractor systems due to limited staffing.
Further, HCBS relies solely on its yearly site visits to ensure that human resource systems comply with certification and accreditation package protocol and guidance.

Without configuration management plans, program officials cannot ensure that e-OPF has been properly configured and that security patches are applied periodically. Therefore, DHS has limited assurance that the sensitive information of its employees is secured in accordance with applicable policies.

Security Weaknesses Are Not Being Mitigated in a Timely Manner

Security weaknesses in e-OPF POA&Ms are not being maintained or mitigated in a timely manner. As of February 22, 2010, the corrective actions for 28 of 110 POA&Ms are more than 90 days overdue. In addition, 21 of these overdue POA&Ms are more than one year past due and four are classified as “critical.” Critical security weaknesses should be mitigated in a timely manner to ensure that they cannot be exploited to gain unauthorized access to the system.

Agencies are required to create POA&Ms for all known security weaknesses that cannot be immediately mitigated. In addition, POA&Ms are part of the continuous monitoring process to ensure that security weaknesses are mitigated in a timely manner.
Further, OMB requires that POA&Ms be prioritized in varying levels of criticality, depending on how management categorizes the weakness, in order to efficiently and effectively protect systems.

Without the timely mitigation of POA&Ms, agencies cannot ensure that security weaknesses are properly addressed before they can be exploited. Security weaknesses not mitigated in a timely manner may expose the personal data of DHS employees.

WebTA Has Not Been Certified and Accredited in Accordance with DHS Policy

As of March 2010, WebTA had not received the authority to operate in accordance with DHS policy. For Federal Information Security Management Act reporting purposes, the Office of the Chief Information Security Officer (OCISO) reviews accreditation packages for all systems in the systems inventory for compliance with applicable DHS and NIST guidance. Without the OCISO’s validation of certification and accreditation artifacts, a system operates without authority.

WebTA was originally certified and accredited by NFC in October 2006. In August 2009, HCBS and NFC agreed that DHS should certify and accredit the system as the department owns the WebTA licenses and data.
Specifically, HCBS purchased the license for WebTA in 2005 for $1,000,000 and pays the annual maintenance cost of $802,000.[9] Subsequently, the WebTA authorizing official certified and accredited the system in October 2009.[10] However, security personnel from the Management Directorate disagreed with the assessment and removed WebTA from DHS OCIO’s systems inventory in October 2009. Security personnel from the Management Directorate indicated that DHS does not have control over WebTA because it is hosted on NFC’s infrastructure, preventing them from performing detailed tests or configurations. As a result of WebTA’s exclusion from DHS’ system inventory, OCISO has not recognized the system’s authority to operate. However, this exclusion is not justified. WebTA should be included in OCIO’s system inventory because the department owns the WebTA license and is responsible for protecting the personal data of its 180,000 employees.

According to DHS inventory guidance, a system’s owner is based primarily on system ownership and funding, for which HCBS has been responsible since the deployment of the system.
According to applicable OMB and DHS guidance, information systems are to be accounted for in agencies’ inventory and must be authorized to operate.

[9] Annual maintenance estimate was determined by averaging DHS’ WebTA maintenance cost over a five-year period.
[10] An authorizing official assumes responsibility for operating an information system at an acceptable level of risk.

Recommendations:
We recommend that the OCHCO direct HCBS to:

Recommendation #9: Establish a process to ensure that all contractor-owned and -operated human resource systems are certified and accredited according to applicable OMB and NIST guidance. In addition, all required security documents must be developed according to applicable OMB and NIST guidance, and security weaknesses identified must be mitigated timely.

Recommendation #10: Strengthen the department’s monitoring oversight of POA&Ms for non-DHS human resource systems.

Recommendation #11: Certify and accredit WebTA to operate according to applicable OMB, NIST, and DHS guidance.

Management Comments and OIG Analysis
DHS concurred with recommendation 9. According to OCHCO, the human resources systems cited in the report are considered External Information Systems (EIS).
These systems are managed by another government agency and are provided as a paid service for DHS use. The responsibility for performing certification and accreditation on these systems is solely that of the host government agency. OCHCO will strengthen the Memoranda of Agreement/Understanding with the other government agencies to clearly delineate that the responsibility for the systems rests squarely with the host government agency and that results are available to OCHCO.

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. This recommendation will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS concurred with recommendation 10. OCHCO responded that the human resources systems cited in the report are considered EIS. These systems are managed by another government agency and are provided as a paid service for DHS use. The responsibility for security and management of these systems is solely that of the host government agency.
The POA&M deficiencies noted in this report are not DHS-specific, and OPM has made significant progress in closing more than 100 POA&Ms noted during prior-year assessments of the systems.

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. This recommendation will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS concurred with recommendation 11. OCHCO responded that WebTA is currently being recorded in the OCIO inventory as an EIS. The system is managed by USDA as part of its mandate to be a provider of this type of service for other government agencies. The responsibility for security and management of this system is clearly delineated as USDA’s responsibility. However, OCHCO noted that HCBS must decide whether to accept the NFC line of software code. The decision will determine whether NFC or DHS should assume ownership as well as the responsibility to certify and accredit the system. Currently, HCBS is working with OCIO to have the issue resolved.

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation.
This recommendation will remain open until DHS provides documentation to support that all planned corrective actions are completed.

Appendix A
Purpose, Scope, and Methodology

The objective of our review was to determine whether DHS has developed a program to improve the efficiency, effectiveness, and consistency of its human resource systems. Specifically, we determined whether: (1) DHS has developed an adequate strategy to consolidate components’ existing human resource systems into an enterprise-wide solution; (2) DHS has implemented effective physical and system security controls to protect sensitive information stored and processed by its human resource systems; and (3) the enterprise-wide systems, including those owned and operated by other agencies, were certified and accredited in accordance with applicable guidance.

We interviewed selected personnel from DHS OCHCO, USDA NFC, major components, the Department of the Treasury Bureau of Public Debt in Parkersburg, West Virginia, and one contractor facility in New York City, New York.
Further, we reviewed and evaluated DHS’ security policies and procedures, system project plans, technical descriptions, certification and accreditation packages, and other appropriate documentation. In addition, we reviewed USDA’s Statement on Auditing Standards No. 70 Report on National Finance Center General Controls - Fiscal Year 2009 to ensure that NFC systems were certified and accredited and that no major deficiencies were identified. We used the software tools Nessus and DBProtect to detect, analyze, and evaluate the effectiveness of the security controls implemented on selected human resource systems, to identify known security vulnerabilities, and to evaluate whether systems are properly configured in accordance with applicable guidance. Due to access limitations for systems owned and operated by other agencies, we performed security testing only on TalentLink.

We conducted this audit between October 2009 and April 2010 according to generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Major OIG contributors to the audit are identified in Appendix C.
The principal OIG points of contact for the audit are Frank W. Deffer, Assistant Inspector General, Information Technology Audits, at (202) 254-4100, and Chiu-Tong Tsang, Director, Information Security Audit Division, at (202) 254-5472.

Appendix B
Management Comments to the Draft Report

U.S. Department of Homeland Security
Washington, DC 20528

MEMORANDUM FOR: Richard L. Skinner
Inspector General

FROM: Jeffrey R. Neal
Chief Human Capital Officer

SUBJECT: Response to OIG Draft Report - Management Oversight and Component Participation are Necessary to Complete DHS Human Resources Systems Consolidation Effort - FOUO

This memorandum responds to the Office of Inspector General (OIG) draft report entitled, Management Oversight and Component Participation are Necessary to Complete DHS Human Resources Systems Consolidation Effort - FOUO, dated April 2010. I concur with the 11 recommendations outlined in the report. The following response outlines actions to address these recommendations.

One of the systems which was reviewed during this audit, TALENTLink, is being decommissioned effective 26 June 2010. This action was taken at my direction. The Department is partnering with OPM on future enterprise hiring system solutions.

Recommendation 1 - Concur
With the change in leadership and direction, the Office of the Chief Human Capital Officer (OCHCO) is currently revising the OMB 300, operational plan,
and program metrics.

Recommendation 2 - Concur
Project teams work with functional experts from components to define and develop requirements. The Human Capital Business Systems (HCBS) team of OCHCO is currently reworking the intake and change control process to better accommodate changes and requests in real-time. Improved metrics capability (from #1, above) will also improve our ability to consistently deliver cost data at all stages of the project. A strategic HRIT council is also being established to improve communication and component feedback.

Recommendation 3 - Concur
OCHCO will continue to work with OCIO to create a unique identifier within the Department’s Inventory Tool to specify human resources systems.

Recommendation 4 - Concur
OCHCO and OCIO, to include DHS OneNet, have agreed to work with DHS components to determine business requirements, bandwidth usage, and to identify and implement the appropriate type and size of DHS OneNet MPLS VPN connections required for National Finance Center payroll and personnel processing.

Recommendation 5 - Concur
Patch Management & Privileged Account Management SOPs: Due to the Software as a Service (SaaS) provision of this system, Patch Management and Privileged Account Management processes are owned by the application provider.
DHS reviewed these processes and validated they were consistent with DHS requirements. However, to be consistent with DHS policy, HCBS should have drafted TALENTLink-specific Patch Management and Privileged Account Management SOPs and utilized the application provider documents as the basis. Due to the fact that the TALENTLink system is being decommissioned and will be shut down on 26 June 2010, we do not recommend the creation of a POA&M.

PII Data Extracts: Although protection of computer-readable extracts containing SPII was incorporated in DHS guidance before TALENTLink went live, the implementation directive was not published until 31 July 2009. Thus, HCBS was not able to complete a thorough analysis to determine what CREs (routine or ad hoc) would be utilized by the system prior to the decision to decommission the system. All users of the system are required to complete annual Computer Security Awareness Training and PII Training, so users are trained in the proper handling of PII.

Recommendation 6 - Concur
Administrator’s Connections and Oracle Remote Login Password File: Due to the SaaS provision of this system, certain configurations are beyond the control of DHS. We were aware of this issue, but the application provider was not willing to change the settings because it would cause undue burden on the application’s operating capability. Due to the fact that the TALENTLink system is being decommissioned and will be shut down on 26 June 2010, we do not recommend the creation of a POA&M.

Elevated Oracle Accounts: There are a total of eight accounts, comprised of two DBAs and six users, with the “CREATE ANY LIBRARY” privilege.
The six user accounts must exist on each\n            of the applicalion pro\\idcT databases so that the application can be operated COI\'T\xc2\xabtly and. since\n            the six users do not require full DBA access.. limiting these accounts 10 this privilege is actually\n            more restrictive and in-line with the concept of Least Privilege. Thc alternative would be to gran1\n            thcse six users fuJI DBA access, bU1this would give thcm more privileges than required.\n\n            RC\'Commendation 7 - Concur\n            Audit Trails and Warning Banner: Due to the saaS provision of this S)\'stem. certain\n            configurations are be~\'ond the control ofOHS, Although the Oracle Hardening guide is 00(\n            strictly adhered to. there are otheT tracking capabilities buill into the application to allow\n            auditing, Additionally. although the proper warning banner is not prO\\ided whm logging on\n            Iocall)\' 10 the server. the proper DHS warning and pri\\\'aq\' banners arc provided for all user.; and\n            candidates accessing the system, We wcre aware ofthesc issues. but the application pro\\ider was\n            not willing to change the sellings because it would cause undue burden on the application\'s\n            operating capability. Due 10 the fact that the TALENTLink system is being decommissioned and\n            will be shut-down on 26 June 2010. we do not r\xc2\xabQmmend the creation ofa POA&M,\n\n\n\n\n  Management Oversight and Component Participation Are Necessary to Complete DHS\xe2\x80\x99 Human Resource \n \n\n                                  Systems Consolidation Effort\n \n\n\n                                                          Page 28 \n\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n\n\n            180ss Vulnerability; This nJlnerability was identified prior to the O[G scan; however. 
a new\n            build \\\\as required and not all zones recci\\\'ed the new build prior to the scan. The \'lUlnerabi1it~\'\n            has since been remcdiated in all zones.\n\n            Recommendation 8 - Concur\n            Although we: agree \\\\;th the intent ofthe ~ndation. DHS policy does not suppon the\n            pc:rfonnance: or security testing on another agency\'s IT S)\'Stems. Based on DHS policy. the\n            connection is to be well-documented with emphasis on the responsibilities ofthc: two\n            organizations including maintaining valid ATO. incident reponing, training and awareness. etc.\n            OCHCO will include specific language: in future Memoranda of AgreementlUndeTStanding to\n            document mutual rc:sponsibilit)\xc2\xb7 and roles for seeurity systems.\n\n            Recommendation 9 - Concur\n            The: HRIT s)\'slems cited. in the report are: considered Extemallnformation S)\'stems (\xc2\xa31$). Thc:sc:\n            S)\'stcrns arc: managed by another !lO\\\'c:mment agency and arc provided as a paid ser",ice for DHS\n            use. The responsibility for Ccnificalion and Accrc:dilation (C&A) ofthc:se S)\'stmls is solei)\' that\n            of the host. gO\\\'cmmcnt agmcy. OCHCO will strengthen the Memorandum of\n            Agrccmc:ntsIUndc:manding be:twcc:n the other !lO\\\'cmmcnt agmcics to dearly delineate the\n            responsibility for the systems to be squarel)\' on the host. gO\\\'Crllfnetlt age:ncy and that results are:\n            available to OCHCO.\n\n            Recommendation 10 - Concur\n            The HR[T systems cited in the report are considered EIS, These systems are: managed by another\n            government agency and arc: provided as a paid service lor DI-IS use. The responsibility for\n            security and management ofthesc systems is solely that ofttle host government agency. 11K:\n            POA&M deficiencies noted in this report are oot DHS specific. 
and OPM has made significant\n            progress in the: c1osw\'c ofover 100 POA&M items noted during prior year assc:ssmc:nts of the\n            EHRI S)\xc2\xb7stems.\n\n            Recommc:ndation II - Concur\n            WebTA is cunently being recorded in the OCIO inventOf)\' as an EIS. The s)\'Ste:m is managed by\n            the U.S. Departme:nt of Agriculture: (USDA) as pan of their lI\'UItldate to be a provider of this t}\'PC\n            of SC\'TVice: for other go\\\'e:mment agencies. The responsibility for security and management of this\n            system is clearly delineated as a USDA responsibility. However. OHS must decide to accept the\n            NFC line ofcodc where NFC would then 0\\\\1I1he C&A responsibility or OilS must o\\\\-lIlhe\n            system and acccplthe C&A responsibility. HeBS slall\'is currently working this issue with\n            OCl0.\n\n            Thank )\'ou for the opponunity to woO: with }\'our staff on this Audit. Should }\'ou have: any\n            questions. please call me at (202) 357-8151. or your stall\' may contaet Vince Micone. 
Chiefof\n            Staf( at (202) 357-&-\xc2\xab18.\n\n            cc:     Chieflnformation Officer\n\n\n\n\n  Management Oversight and Component Participation Are Necessary to Complete DHS\xe2\x80\x99 Human Resource \n \n\n                                  Systems Consolidation Effort\n \n\n\n                                                           Page 29 \n\n\x0cAppendix C\nMajor Contributors to this Report\n\n                        Information Security Audit Division\n\n                        Edward Coleman, Director\n                        Chiu-Tong Tsang, Director\n                        Mike Horton, Information Technology Officer\n                        Aaron Zappone, Team Lead\n                        Amanda Strickler, Information Technology Specialist\n                        Michael Kim, Information Technology Auditor\n                        Nazia Khan, Information Technology Specialist\n\n                        Beverly Dale, Referencer\n\n\n\n\n  Management Oversight and Component Participation Are Necessary to Complete DHS\xe2\x80\x99 Human Resource \n \n\n                                  Systems Consolidation Effort\n \n\n\n                                              Page 30 \n\n\x0cAppendix D\nReport Distribution\n\n                        Department of Homeland Security\n\n                        Secretary\n                        Deputy Secretary\n                        Chief of Staff\n                        Deputy Chief of Staff\n                        General Counsel\n                        Executive Secretariat\n                        Assistant Secretary for Policy\n                        Assistant Secretary for Office of Public Affairs\n                        Assistant Secretary for Office of Legislative Affairs\n                        Under Secretary for Management\n                        Deputy Under Secretary for Management\n                        Chief Human Capital Officer\n                        Chief Information 
Officer\n                        Chief Information Security Officer\n                        Director, Compliance and Technology Information Security Office\n                        Deputy Director, Compliance and Technology Information\n                        Security Office\n                        Information System Security Manger, ITSO, Headquarters\n                        Services Division\n                        Audit Liaison, OCIO\n                        Director, GAO/OIG Liaison Office\n\n                        Office of Management and Budget\n\n                        Chief, Homeland Security Branch\n                        DHS OIG Budget Examiner\n\n                        Congress\n\n                        Congressional Oversight and Appropriations Committees, as\n                        appropriate\n\n\n\n\n  Management Oversight and Component Participation Are Necessary to Complete DHS\xe2\x80\x99 Human Resource \n \n\n                                  Systems Consolidation Effort\n \n\n\n                                              Page 31 \n \n\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,\nfax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.\n\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal\nmisconduct relative to department programs or operations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603;\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202) 254-4292;\n\n\xe2\x80\xa2 Email us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n       DHS Office of Inspector General/MAIL STOP 2600,\n       Attention: Office of Investigations - Hotline,\n       245 Murray Drive, SW, Building 410,\n       Washington, DC 20528.\n\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'